Best Practice: Formatting query output using select() | Knowledge Base | LogScale Documentation

Skip to content

LogScale Documentation Library KB Release Notes Integrations Query Examples Training API GraphQL Search Archives Contact Support

Best Practice: Formatting query output using select()

Note

⌛ Article is more than two years old.

LogScale has several functions that perform formatting tasks for your query output. While the table() is an option, the select() function is easier to use.

// Get all user logon events for User SID S-1-5-21-*
#event_simpleName=UserLogon event_platform=Win UserSid="S-1-5-21-*"
// Invoke saved query to enrich UserIsAdmin field
| $ConvertUserIsAdmin()
// Use select to output in tabular format
| select([@timestamp, aid, ClientComputerName, UserName, LogonType, UserIsAdmin_Readable])

An example of formatted query output using select()

Note that this example uses a saved query. To read more about how to create and invoke a saved query, see our kb article Best Practice: Leveraging saved queries as functions.

Enter search term